Email-Worm.Win32.Nyxem is a email worm that runs on Win32 Operating Systems.
There are 10 variants (the rest are shown in later section):
- Email-Worm.Win32.Nyxem.a (this page)
Nyxem.a spreads via the Internet as an attachment to infected messages. It also spreads via Yahoo Pager and MSN Messenger.
The worm itself is written in Visual Basic, and is a PE EXE file, 76060 bytes in size. The file is packed using UPX, and the unpacked file is approximately 130KB in size.
There are two types of infected message:
Message header (chosen from the following list):
<<~SEX~>> TeenRapers.mov Asses Mpeg's FW: (-Sucking-) FW: **Hot Movie** FW: File - WebCam.mpeg FW: Lesbian & gays Mpeg Fw: My Funny Ass FW:RE: Least *21* Years FW:Re:Hot Erotic Re: Double suck (movie) RE: FW: Women Mpeg Re: Why? Form Back.mpg very hot XXX Video Clip
Message body (chosen from the following list):
- Babe sucking black Dog MPEG
- funny movie
- hey guys my name is April Goostree i am a sexy 22 yr old bbw , 5'9, 48 dd , big ole booty, jus lovin life, until i get my pics posted in here you can either check out my profile or join my own yahoo group Texas-Sexy@groups.msn.com, either way works for me..i hope to become very active in this group, i like to get to know people, like to get on cam once in a while, jus to chill, when they aint none home..thats why its once in a while yaknow..anyways jus holla at me... n thanks for lettin me join!!! kisses kandee..Bye
- Dozens of Free Video Clips to download.Many Niches. Updated regularly and more added daily.Taken From Vivi's Lovely Briefcase.
- very good movie >>> Video's Media Player. SEX SEX * Sluts Tits Video Mpeg's Mpeg Video Clips
- Cum and check this fun group out...Sexy ladies!! Come post your ad,..this is a real swingers group!! I'm attatching a Video Clip of my wife if interested in checking it out!
- -==This server does not support Transfer Big Movies==- wo Hotttt gurls sucking a hansum cock Softly
- Watch the Paris Hilton Sex Tape for Free!
- Video's Girls Erotic WebCam's Tits Mpeg's Girls Ass SEX Pussy Video Clips
- Here is another Vclip of my daily group :|
- All kinda Women Can be Found Here To Satisfy Women Lovers' Eyes
- u Love asses? Here is a great ass open wide waitin for ur lil Cock
- movie attached open by media Player 7.1
- when i saw my ass i slept 3 hours why?? check my ass sorry my movie
- LOOOOOOOOL joke (^!^)
- Check This ?ucking Babe ;D
- ?ucking = Sucking=Fucking
Attachment name (chosen from the following list):
17Ag_double_suck__part.MPEG_.scr April_FromTexas.MPEG_.scr Video_briefcase_Group.MPEG_.scr Julia_1997_Fucking.MPEG_.scr juanita_in_the_kitchen.MPEG.scr After_2AM_small_room.MPEG__.scr Graham_Hilton_Sex.MPEG__.scr WebCam_12girls_Ass.mpeg_.scr Shakira_Anal_very_old.MPEG.scr why_fuck_anal_back.MPEG.scr open_girl_21year.MPEG.scr Ricky_Gay_ass.MPEG______________.scr GrahamCluley_freakin_Ass_.MPEG__.scr Sexual_Crimes.MPEG____.scr
Fw: Virus Alert
- Dear User ,
- This is A very High Resk Virus Alert.
- This email is sent to you because one or some of your friends has been infected with The W32.BlackWorm.A@mm Virus.
- And you could be infected too. This Virus has the ability to damage the hard disk.
- This Virus infects computers using many new ways :
- 1- it arrives as an email attachment inside of jpg pictures.
- 2- it infects the ip address without the victim's knowledge.
- 3- it infects Microsoft Word Documents using a new exploit in hex (00fxf0xf10x).
- Symantec Consumer products that support Worm Blocking functionality automatically detect this threat as it attempts to spread.
- Symantec Security Response has attached a removal tool to clean and prevent the infections of W32.BlackWorm.A@mm.
- Norton AntiVirus
FIX_BLACKWORM.COM SCAN.ZIP (inside - FIX_BLACKWORM.COM) SCAN.TGZ (inside - FIX_BLACKWORM.COM)
Once launched, the worm copies itself and its components to the Windows system directory. The name is chosen at random by the worm from the names of files which already exist. The worm then adds a space to the end of the name e.g.kodakprv. exe
Once the file has been created the wrom registers it in the system registry autorun key.
When launching, the worm launches Windows Media Player.
The worm uses its own library (ossmtp.dll, oswinsck.dll) to send messages via smtp.
The worm harvests email addresses from Yahoo and MSN Messenger, and also scans files with the extensions .htm and .dbx to harvest addresses.
The worm attempts to prevent antivirus programs from launching. It deletes the following registry keys:
NPROTECT ccApp ScriptBlocking MCUpdateExe VirusScan Online MCAgentExe VSOCheckTask McRegWiz McVsRte PCClient.exe PCCIOMON.exe pccguide.exe PccPfw PCCIOMON.exe tmproxy McAfeeVirusScanService NAV Agent PCCClient.exe SSDPSRV Taskmon KasperskyAv system. msgsvr32 Windows Services Host Explorer Sentry ssate.exe winupd.exe au.exe OLE
The worm attempts to conduct a DoS attack on www.nymex.com
This family has 10 variants in total: